Drop min password length to 8(?), and implement zxcvbn on at least the client side, to encourage stronger passwords (the math says that with bcrypt w/cost 10 and modern expensive hardware, a single computer can chew through 37 bits of entropy in a year). For zxcvbn we should require a strength of 4/4 - specifically > 1 year to crack with the "slow hash" estimate. Nothing lesser is acceptable.
This might require figuring out some kind of vendors system, both for the PHP and the JS... :P.
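An added example (not code from this issue or the project) of the proposed client-side policy as a pure function over a zxcvbn result object, plus the bits-per-year arithmetic behind the 37-bit figure; the `zxcvbn` function itself is assumed to be loaded from the vendored script and is passed in rather than required here, and the field names follow the result object zxcvbn returns (`score`, `guesses`, `crack_times_seconds.offline_slow_hashing_1e4_per_second`).

```javascript
// Added example, not from the original issue. Policy: min length 8, zxcvbn score 4/4,
// and > 1 year to crack under zxcvbn's "slow hash" (1e4 guesses/second) estimate.
const SECONDS_PER_YEAR = 365 * 24 * 3600;
const SLOW_HASH_GUESSES_PER_SECOND = 1e4; // zxcvbn's offline_slow_hashing_1e4_per_second rate
const MIN_LENGTH = 8;

// Bits of keyspace one attacker can exhaust in a year at a given guess rate.
// At 1e4 guesses/s this comes to about 38 bits, in line with the issue's ~37-bit estimate.
function bitsSearchablePerYear(guessesPerSecond) {
  return Math.log2(guessesPerSecond * SECONDS_PER_YEAR);
}

// Evaluate the policy against a zxcvbn() result. Returns every failing reason so the
// UI can show all of them at once instead of one at a time.
function evaluatePolicy(password, result) {
  const reasons = [];
  if (password.length < MIN_LENGTH) {
    reasons.push(`shorter than ${MIN_LENGTH} characters`);
  }
  if (result.score < 4) {
    reasons.push(`zxcvbn score ${result.score}/4, need 4/4`);
  }
  const slowSeconds = result.crack_times_seconds.offline_slow_hashing_1e4_per_second;
  if (slowSeconds <= SECONDS_PER_YEAR) {
    reasons.push(`slow-hash crack time ${slowSeconds}s is not > 1 year`);
  }
  return { ok: reasons.length === 0, reasons };
}

// Wire-up for the form: zxcvbnFn is the zxcvbn() function from the vendored script
// (assumed loaded); userInputs (email, username) are passed as extra dictionary terms,
// which zxcvbn's second argument supports, so passwords built from them score low.
function checkPassword(password, zxcvbnFn, userInputs = []) {
  return evaluatePolicy(password, zxcvbnFn(password, userInputs));
}

// Constructed stand-in for zxcvbn() used for offline testing only: derives the slow-hash
// crack time from a guess count the same way zxcvbn does (guesses / rate).
function fakeZxcvbn(guesses, score) {
  return () => ({
    score,
    guesses,
    crack_times_seconds: {
      offline_slow_hashing_1e4_per_second: guesses / SLOW_HASH_GUESSES_PER_SECOND,
    },
  });
}
```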